
  • 8/3/2019 nsag-wp

    1/16

    SAP Network Services

    Best Practices

    Network Services Advisory Group

    27 September 2006 1.0

    [email protected]://esc.sap.com


    Table of Contents

    1 Introduction ..... 1
    2 General Application and IT Trends ..... 1
    3 The SAP Application Environment ..... 2
    4 SAP Application Landscape Characteristics ..... 3
    5 Performance Considerations ..... 3
    5.1 Transport and Application Optimizations ..... 4
    5.2 Server and Data Center Optimization ..... 5
    5.3 Route Optimization and Data Prioritization ..... 5
    5.4 Security of Performance Solutions ..... 5
    5.5 Performance Monitoring and Management ..... 6
    6 Security considerations ..... 6
    6.1 Access (VPNs and SSL encryption) ..... 7
    6.2 Client security ..... 7
    6.3 Firewalls ..... 8
    6.4 Vulnerability assessment and management ..... 9
    7 Reliability/Availability Considerations ..... 9
    7.1 Load balancing ..... 9
    7.2 Terminal Services/User Interface Virtualization ..... 10
    8 Overview of Solutions ..... 10
    8.1 SAP In-Built Network Services ..... 10
    8.2 Point Solutions ..... 11
    8.3 Integrated Solutions ..... 11
    8.4 Managed Services ..... 11
    9 Key Considerations for Selecting a Solution ..... 12
    10 Conclusion ..... 13
    11 Acknowledgements ..... 13
    Appendix A: ..... 14


    2006 SAP LABs

    SAP Enterprise Service Community: SAP Best Practices, September 27th, 2006

    Page 1

    1 Introduction

    SAP is the recognized leader in providing collaborative business solutions for all types of industries and for every major market. SAP's software is the operational lifeblood of over 33,000 global enterprises today. As the internet and network technologies have rapidly evolved, so has the way enterprises deploy and use SAP applications to effectively run their business.

    SAP recognizes the importance that the underlying network infrastructure plays in ensuring SAP applications run smoothly and securely in this new environment. Therefore, SAP has worked closely with its network infrastructure partners in an Advisory Group of the SAP Enterprise Services Community to deliver this best-practices document, which it feels will benefit all its enterprise customers.

    This document is intended to educate the reader on networking best practices and concepts for deploying SAP applications in today's extended enterprise environment. The goal is to help application and network infrastructure departments to better cooperate during the earliest planning stages of SAP deployments to ensure these mission-critical applications are implemented in the most secure, reliable, and highest performing ways possible.

    2 General Application and IT Trends

    There are a number of important trends affecting the way today's enterprises use and deploy information technology and software applications in order to remain competitive.

    Globalization and Mobility: Organizations have established branch offices in far-flung locations around the world. Moreover, the typical employee is now very mobile, needing access to critical business applications from anywhere, anytime, and from any device (laptop, PDA, etc.).

    The Extended Enterprise: Corporate boundaries are no longer static and easily definable, as the new, extended enterprise has been opened up to include partners, suppliers, customers, and contractors.

    Web-Enabled Applications: As the Internet and the World Wide Web have permeated both our personal and business lives, TCP/IP and HTTP have become the de-facto protocols of choice for applications. As a result, most software vendors, including SAP, have migrated their most critical applications to a web-based architecture. In addition, the next generation of web-based communications has also begun to gain momentum: Web Services and Service Oriented Architectures.

    Centralization and Compliance: Although the enterprise itself is now extended and globally distributed throughout the world, the applications themselves are being moved back to the corporate datacenter. This centralization is being driven not only by the need to reduce cost, but even more by new regulatory compliance laws such as Sarbanes-Oxley, GLBA, HIPAA, and others.

    All these trends have created new challenges for IT departments both small and large as they try to satisfy the demands of both their end users and the CFO. These demands include providing seamless, secure access to applications, as well as a consistent user experience, with high performance and high availability for users everywhere at the same or reduced costs.

    Therefore, it is important that application and network infrastructure groups work closely together from the earliest planning phases of new application implementation projects. This paper will help to give each side an introduction into the other side's world.


    3 The SAP Application Environment

    The business needs of today's enterprises, in particular the push for enterprises to globalize, are driving the evolution of ERP (Enterprise Resource Planning) software as a platform for transitioning to an Enterprise Service Oriented Architecture (E-SOA). E-SOA is intended to support the business processes of the extended Enterprise, which encompasses a corporation and all its global subsidiaries, business partners and customers.

    While classical ERP applications are mostly headquarter-centric software deployments with application servers and end users in a shared local area network environment, E-SOA application software components and end users are spread out world-wide and connected via a wide-area network infrastructure. An ERP transaction is usually executed by a specialized employee, for instance a procurement manager, who creates a purchase order. By web-service enabling such rather atomic "create PO" types of transactions, it becomes easier to integrate applications, chaining many such transactions together to achieve the overarching business process of a composite application.

    Classical ERP systems (CRM, SRM, APO) remain the backbone of composite applications, which are made up of web-service wrapped ERP transactions. In addition, business functions from outside partners (e.g. transportation, banking organizations) can be integrated with the same style of standards-based web-service calls.

    Coming from this business application-centric view, it is important to recognize that the different parts of a composite application need to connect end-users with different business functions in ERP systems and also connect a variety of ERP systems which reside in one or more different company datacenters and might also reside outside a company's network, for instance linking to a business partner's ERP systems.

    Not having all business connectivity in a local LAN adds fundamentally new requirements for supporting network services in a distributed application deployment:

    Performance: Transmitting data around the world can be slowed significantly due to unavoidable network latency and network congestion.

    Reliability: The network links and services themselves need to be designed for end-to-end reliability.


    Security: Since company boundaries have been expanded to include connectivity to external parties and access to a company's confidential business applications, all communications should be secured.

    Costs: The increased overall complexity of IT needs to be considered in estimating the overall cost of application development.

    Security and performance are sometimes contradictory requirements in the sense that strong security often has a negative impact on performance and vice versa. Some performance optimization techniques require unencrypted, thus un-secured, data access. The always important questions of how to build a highly reliable IT solution at reasonable costs also exist for E-SOA based solutions.

    Therefore, it is essential for any web-enabled and web-service based application implementation project to consider the impact on, and requirements for, a company's network infrastructure from the earliest planning stages. It cannot be overstated: application and network groups in the IT department need to cooperate very well for smooth world-wide application deployments at reasonable costs.

    4 SAP Application Landscape Characteristics

    One major characteristic of E-SOA is that besides end-user WAN traffic there will be a growing amount of application-to-application (A2A), web-services-call facilitated communications over long distances. The business application processing itself will be more distributed due to:

    Operation of multiple corporate data centers throughout the world.

    Communication with the external datacenters of hosting and business partners.

    Small local business applications in branches such as retail stores, warehouses and other remote offices, reporting to ERP applications in regional and global datacenters.

    The need to integrate applications from small businesses with those of large enterprises.

    The scale of a global network infrastructure for an enterprise can be very large: interconnectivity of up to a dozen datacenters, hundreds or thousands of branches and 10,000 or more users might need to be supported. Besides business application specific network traffic, companies might want to route VoIP, media streaming and other data over their company extranet and the Internet.

    Most organizations operate a mixture of current and older SAP releases. Technologies like the SAPGUI front-end still need to be supported and in some instances might even have additional uses in remote sites. In the future, further user interface innovations for Microsoft Office tool integration, flash support and other features will be moved to productive system landscapes. Network products and services should be extendable to future use cases.

    A good network infrastructure can help to satisfy the key requirements of web-centric SAP applications for reliability, security, performance and cost effectiveness with features which cannot be provided by application software layers alone.

    More details are laid out in the following chapters, in particular for the crucial topics of performance (Section 5), security (Section 6), and reliability (Section 7).

    5 Performance Considerations

    In order to evaluate a solution that both addresses the problem you are experiencing and provides the best fit with your application and network infrastructure environment, it is important to understand the different underlying technologies leveraged by available solutions. For this purpose, it is important to assess the available technologies considering their impact on performance, security, manageability, reliability and availability.

    To address the performance obstacles of delivering SAP applications in this new global, distributed environment, there are a number of technologies that have been developed to eliminate or mitigate the different causes of poor performance. As discussed later in this white paper, these technologies are used in various degrees and combinations by point, integrated and managed service-based solutions. The different categories of performance improving technologies include: WAN Optimization, Server and Data Center Optimization, Route Optimization and Data Prioritization.

    It is important to carefully consider these technologies because they can dramatically improve the combined SAP application and network performance.

    5.1 Transport and Application Optimizations

    TCP Optimization: TCP optimization minimizes one of the greatest single causes of WAN-induced latency by reducing the number of round trips required to deliver data. The level and impact of TCP optimizations vary based on the underlying architecture of the appliance or managed service, but they are all collectively focused on eliminating the effects of TCP chattiness by reducing the number of connection set-ups and tear-downs. This is achieved through establishing persistent connections, eliminating delays due to sequencing through pipelining, optimizing throughput by maximizing data packet block size (TCP/IP window size) and by eliminating re-transmit delays resulting from packet loss.

    Compression: Compression provides two benefits. First, compression techniques reduce the total size of the data payload, which results in an increase in total data delivery throughput and a reduction in data delivery times. Compression technologies include more than simple file compression: for instance, de-duplication recognizes repeated data patterns at the block or file level and replaces duplicated blocks with small symbols, greatly improving throughput. Some systems can perform de-duplication across multiple TCP or user sessions, further reducing the amount of data transmitted and increasing efficiencies. Second, some appliances or managed services can offload compression from the Web server, freeing server resources that would otherwise be required to perform this function. Compression can require significant processing power, especially when the goal is to operate at wire speeds, compressing data in real time without adding latency.

    Caching: Caching technologies also deliver dual benefits. First, caching frequently requested objects closer to the end-user reduces the total time to download a page because the network proximity to the object is reduced. The level of improvement in this case will vary based on the underlying architecture and deployment location of the appliance (in the data center or branch office), or at an Internet point of presence (POP), which caches data at locations near the end user. Second, caching frees server resources by offloading the serving of the cached content to the appliance or managed service, thus giving the server more resources to process page requests.

    Application Layer Protocol Optimization: In addition to being able to optimize the TCP protocol, WAN Optimization technologies apply acceleration techniques to improve the performance of applications that use chatty protocols and formats such as HTTP/HTML and SOAP/XML. These protocols send data in small blocks that each require an acknowledgement before the next block can be sent. A single transaction may need hundreds or even thousands of round-trip times (RTTs) to complete. As a result, performance drops dramatically across a WAN link with even modest latency (20 ms or 30 ms), frustrating users and seriously hampering productivity. Pre-fetching and pipelining data blocks and web objects across the WAN sends as many in quick succession as needed to fill the available bandwidth capacity so that data blocks and web objects are available locally when requested.


    5.2 Server and Data Center Optimization

    Server Load Balancing: Server load balancing optimizes server performance by balancing traffic among several servers in one data center, using various algorithms to send the next request to the least loaded or fastest responding server to ensure maximum application performance and availability.

    Global Load Balancing: Global Load Balancing, which can also be referred to as global traffic management, expands the load-balancing concept by optimizing performance and availability among multiple data centers by routing traffic, based on RTT and availability algorithms, sending user requests to the best performing or most available data center from which the application is being served.

    Link Load Balancing: Link load balancing technologies can also be applied to manage traffic for a data center across multiple links to the Internet, choosing the optimal link for transmitting data to a given location based on performance.

    SSL Offload: SSL offload technologies perform the CPU-intensive task of encrypting and decrypting SSL traffic for a server, leaving the server to process page requests. This may be an external appliance or a co-processor card installed in the server.

    TCP Connection Management: Like SSL offload, TCP connection management technologies reduce the burden placed on the Web server by reducing the total number of TCP connections that must be opened, managed and closed through multiplexing techniques, thus providing the Web server with a greater amount of resources to dedicate to serving requested pages.

    Terminal Services/User Interface Virtualization: Using terminal services to provide hosted applications rather than deploying applications to every user's terminal can have substantial performance benefits, aside from the savings realized in management, updating, patching and configuration of applications. Rather than the entire file being transmitted from a client to the server every time the user saves, only screen information is transmitted over the network; the application and data are all on the server to begin with. Both latency and bandwidth utilization can be reduced with this technology.

    5.3 Route Optimization and Data Prioritization

    Internet route optimization: Internet route optimization technologies improve performance and availability by routing traffic around broken or poorly performing routes to ensure the user's request is served using the best performing and most available path.

    Quality of Service (QoS): Quality of Service technologies classify and prioritize traffic based on traffic type to control bandwidth allocation based on the importance of the traffic. This technology is well suited for networks that transport a variety of protocols and traffic types (e.g. HTTP, NFS, CIFS) where priority should be given to a certain class of traffic to ensure end-user response times or meet Service Level Agreements (SLAs). Tightly integrated with QoS technology is policy management, which provides the ability to easily manage policies and priorities, based on user, application or other category attributes, and apply the policies to the different classes of traffic on the network.

    5.4 Security of Performance Solutions

    For any performance optimization technology, the security implications of deploying a solution that incorporates the technology should be carefully considered. For example, the deployment of point, integrated or managed service solutions that accelerate application delivery should not in turn introduce new security vulnerabilities. Planners should ensure that solutions are not easily hijacked or susceptible to man-in-the-middle attacks or distributed denial of service attacks.


    5.5 Performance Monitoring and Management

    In addition, a critical part of any strategy for improving performance is monitoring how well the application is performing and responding quickly when problems occur, ensuring reliability. It is critical to ensure that both individual applications and the network infrastructure are available and responding properly, since both influence end user performance experiences.

    It is important to monitor the performance, availability and utilization of servers and applications at the individual level, as well as in the context of the entire application infrastructure. In many cases, this can be done using native monitoring probes, APIs or reporting consoles provided with the hardware or software, or using management standards such as SNMP to collect and integrate monitoring data into an enterprise-wide management framework. In the case of managed services, customer portals and APIs are provided to achieve a similar level of visibility.

    A management framework can also often be used to actively manage servers, applications, appliances and other network nodes, enabling technicians to receive alerts and respond within a single application. Whether this is the case or not, it is not enough to instrument applications; it is also necessary to ensure action is taken when necessary.

    It is also important to monitor what end-users are experiencing, both availability and response times of applications, for critical functions such as logging in or submitting forms. There are two classes of technology available to provide this perspective: a) synthetic; and b) real-user.

    Synthetic monitoring is a proactive management approach that uses agents (typically deployed at various points around the Internet) to mimic end-users by requesting a page or sequence of pages to measure response times and availability against defined thresholds, sending alerts if performance degrades or servers become unavailable. Real-user monitoring captures the actual response time and availability experience of real end users by logging the traffic flow between the end-user and server. Since both technologies have unique capabilities, deploying a combination of the two will ensure optimal visibility into the health of the application and network.

    6 Security considerations

    Security is a vertical topic which touches both the network layer and the application software layer. In the simplest case, the SAP web application server can provide basic security features. Common SAP web application servers can be configured with the following:

    SSL termination, if security from the data source onward is needed.

    User authentication and authorization, to give each end user access to business processes and data based on their job function or role.

    The composite application layer of E-SOA itself also acts effectively as an access control filter for ERP backbone data.

    These security features will address the fundamental concerns for access to the application, but in reality a secured application server cannot protect and guarantee full-time availability of business data as a standalone device. It cannot address industry-wide issues seen by enterprises on a daily basis by itself.

    These issues include outside hackers, employees attempting to access unauthorized material, and denial of service attacks (DoS), protocol-based attacks that attempt to overwhelm company systems. Hackers may try to guess passwords, intercept unencrypted communications, bypass application security with attacks that exploit a weakness in the software, find backdoor weaknesses including unprotected accounts or admin accounts that have the default passwords, and more.

    A commonly accepted security strategy is to build up a multilayered defense where network security services and application security complement each other. This security strategy should span across three domains: the network, the client side end point, and the data center. Security considerations should focus on threats, vulnerabilities, and methods of mitigation. The following sections will address the areas of access, endpoint security, firewalls, and vulnerability assessment and management.

    6.1 Access (VPNs and SSL encryption)

    Without question, remote access is a critical component of an enterprise application. Mobile users (including internal employees, consultants, business partners, and customers) require secure and easily configured access to corporate applications over the Internet. Connectivity to corporate applications through VPNs and SSL encryption has become the industry standard for secure access to public-facing applications.

    For many years IPSec VPNs were the predominant method of secure remote access, but SSL VPN adoption has been steadily increasing. There are substantial architectural differences between SSL and IPSec VPNs. Since IPSec is based on network layer tunneling technology, tunneled traffic is indiscriminately passed from end to end and supports all types of application traffic. This tunneling technique is great for supporting many types of applications, but user transparency is reduced since users depend on the operation and maintenance of an installed IPSec client. SSL VPNs make use of the ubiquitous web browser as the client interface and are considered more user transparent than the IPSec client. Using the web browser allows SSL VPNs to offer virtually anywhere, anytime access without requiring a pre-installed client, enhancing business productivity and reducing client support costs.

    SSL VPNs are implemented at the transport layer and can also be deployed as a proxy, providing granular levels of control at the transport layer as well as maintaining a logical separation between the user and the application environment. SSL VPNs also provide granular application, file and URL-level access control and client security capabilities that can enable administrators to dynamically control access to applications based on the identity of the user and an assessment of the client endpoint. This allows enterprises to use SSL VPNs to securely provision access in a diverse range of use cases including employee remote access, partner and customer extranets, and emergency or disaster scenarios. SSL VPNs also utilize the common HTTPS (port 443) protocol, eliminating the need to pass non-standard ports through the firewall. This alleviates many of the common connectivity issues associated with IPSec VPNs.

    In addition to securing access to applications through VPNs, SSL encryption can be implemented on web servers, using secure HTTPS rather than HTTP. Early on, servers typically handled all of the SSL connections, but often the CPU processing overhead associated with encryption/decryption and key handling of SSL transactions had a negative impact on CPU utilization, affecting performance and scalability. SSL offload appliances or co-processor cards can address scalability issues and provide encryption for the entire application transaction. For environments that require end-to-end encryption, SSL appliances can encrypt/decrypt connections from the client, but can also re-encrypt the connections to the back-end servers, which is important for other network services which need clear text data for their operation, like load balancers and WAN accelerators.

    6.2 Client security

    Enterprises have several new challenges when it comes to protecting sensitive data. A wide diversity of client end points, such as laptops, PDAs, cell phones, browsers, coupled with highly mobile enterprise data, and a variety of delivery methods, combine to dramatically increase the risk of significant data theft.

    In particular, inadequate enforcement of endpoint security has been directly responsible for the success of the recent spate of worms and other fast-moving threats. These security breaches happened because of a lack of direct enterprise control and enforcement of endpoint policies, including up-to-date antivirus protection, host intrusion prevention, acceptable configuration of hardware and software and a limit on running processes.

    Client-side security systems allow security managers to enforce compliance initiatives by determining the location of the system a client is requesting information from, or even taking inventory of a client system and controlling access based on whether the required security software is installed or not. Administrators should be able to set access policies based on a combination of variables. For example, a user may be authorized to have read/write access to information within the enterprise LAN environment, but when the same user seeks access to the same resources from a different environment, such as a public Web browser or an airport wireless access point, the access policy may deny access to sensitive information. This capability can be particularly valuable for compliance-sensitive organizations and those dealing with personal data that can be used for identity theft.

    A security policy may also mandate that sensitive information remain in the data center and that users must view the data without being able to create a local copy that could move beyond the control of the enterprise. End-point analysis and access control through policies will limit non-compliant access and can mitigate the risk of exposing sensitive information.

    Another approach to secure access and control of enterprise information is to host the end user environment in a centralized data center. This enables the data center administrators to directly control the deployment of endpoint security measures within that environment. For example, using a remotely presented secure browser can prevent downloading of uncontrolled Java applets and ActiveX controls to the client. Not only does this help to control unauthorized data transmission between the client and the data center, it can also be an effective protection from threats that seek to leverage browser hijacking, a technique used in phishing and other attacks.

    In short, proper end point security begins with access-specific policies that dictate which access methods each user must use for each type of data.
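The access decision this section describes, combining the user's role, where the client connects from, and whether the endpoint passes its posture checks, as an added example that is not code from the white paper or from any SSL VPN product. The address ranges, posture attributes, data classes and the policy table are constructed for the illustration; "view_only" stands for the data-stays-in-the-data-center mode the text mentions.

```python
"""Endpoint-aware access policy: role sets the ceiling, zone and posture can only lower it."""
import ipaddress
from dataclasses import dataclass, field

# Constructed corporate address plan; any other source address counts as "public".
ZONES = {
    "lan": [ipaddress.ip_network("10.0.0.0/8")],
    "branch_vpn": [ipaddress.ip_network("172.16.0.0/12")],
}

# Constructed posture checks an endpoint must pass before it may hold a local copy of data.
REQUIRED_POSTURE = frozenset({"antivirus_current", "host_ips_running", "disk_encrypted"})

# Constructed role policy: the most a role may ever get for each data class.
ROLE_POLICY = {
    "procurement": {"public": "read_write", "internal": "read_write", "confidential": "read_write"},
    "contractor":  {"public": "read_write", "internal": "view_only",  "confidential": "deny"},
}

_ORDER = ("deny", "view_only", "read_write")


@dataclass(frozen=True)
class Endpoint:
    source_ip: str
    posture: frozenset = field(default_factory=frozenset)  # checks the client reported as passed
    managed: bool = False                                   # enterprise-managed device?


def zone_of(ip: str) -> str:
    """Map a source address onto a trust zone; unknown ranges are public."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "public"


def _cap(level: str, maximum: str) -> str:
    return level if _ORDER.index(level) <= _ORDER.index(maximum) else maximum


def decide(role: str, sensitivity: str, ep: Endpoint) -> str:
    """Return 'read_write', 'view_only' or 'deny' for one request."""
    ceiling = ROLE_POLICY.get(role, {}).get(sensitivity, "deny")
    if ceiling == "deny" or sensitivity == "public":
        return ceiling                      # nothing sensitive to protect, or role already excludes it

    zone = zone_of(ep.source_ip)
    compliant = ep.managed and REQUIRED_POSTURE <= ep.posture

    if not compliant:
        # Unmanaged or out-of-date endpoint (e.g. an airport kiosk): never a local copy,
        # and off the corporate LAN it gets no sensitive data at all.
        return _cap(ceiling, "view_only") if zone == "lan" else "deny"
    if zone == "public":
        # Compliant corporate laptop on an untrusted network: render only, no download.
        return _cap(ceiling, "view_only")
    return ceiling                          # LAN or branch VPN with a compliant endpoint


if __name__ == "__main__":
    office = Endpoint("10.1.2.3", REQUIRED_POSTURE, managed=True)
    airport = Endpoint("198.51.100.7")      # constructed public address, unmanaged device
    for ep in (office, airport):
        print(ep.source_ip, "->", decide("procurement", "internal", ep))
```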

    6.3 Firewalls

    An effective firewall strategy consists of protecting the various layers of the enterprise application infrastructure, particularly the network layer and the application layer. Protection of the network layer from protocol-layer attacks such as Denial of Service (DoS) and limiting access to the corporate network using Network Address Translation (NAT) and other technologies should be implemented at the perimeter firewall. Firewalls are also being deployed in the LAN to provide departmental security and as part of network access control schemes in conjunction with client security.

    Network-layer firewalls are designed to provide access control and statefully inspect IP packets to determine what traffic is permitted to enter or exit a network. Protocols like telnet and ftp, and specific URL accesses via HTTP or HTTPS, are only allowed through the firewall when legitimate requests for application access are made. Application-layer firewalls, which can be intrusion detection or prevention devices or network-based firewalls combined with intrusion prevention functionality, perform deep inspection of IP packets in order to understand the application traffic within. These devices can detect patterns (attack signatures) or anomalies (traffic and/or protocol) created by malicious users or malicious code (e.g. worms) to exploit application vulnerabilities and then can block these attacks before they reach their target. Application-layer firewalling can protect all types of packaged and custom client-server or web-based applications.

    With the increasing importance of web-based software technologies, web-based applications are receiving increased scrutiny.

    For example, most applications do not validate user inputs to an HTML application. The failure to inspect and validate inputs can render an application vulnerable to a myriad of application-layer attacks, such as buffer overflows or cross-site scripting. An application-layer firewall can stop these attacks.
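The two checks described above, positive validation of each input against the format the application expects and signature matching for the attack classes named (oversized input, script injection), as an added example in Python; it is not code from the whitepaper or any vendor listed in it. The parameter names, their formats and the sample requests are constructed for a hypothetical order form.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Positive validation: the format each parameter of the (hypothetical)
# order form is expected to have. Parameters not listed here are rejected.
PARAM_RULES = {
    "user": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "order": re.compile(r"[0-9]{1,10}"),
    "comment": re.compile(r"[\w \t.,!?'-]{0,500}"),
}
# Generic length ceiling, independent of the per-field format.
MAX_PARAM_LEN = 1024

# Negative signatures for the attack class the text names (cross-site
# scripting); an application firewall would carry many more.
SIGNATURES = {
    "script-injection": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}


def inspect_request(method, target, body=""):
    """Inspect one HTTP request target plus an optional form body.

    Returns (verdict, reasons): verdict is "allow" or "block", and reasons
    lists every failed check so the event can be logged and the rules tuned."""
    reasons = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)

    for name, values in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            reasons.append(f"unexpected parameter '{name}'")
            continue
        for value in values:
            if len(value) > MAX_PARAM_LEN:
                reasons.append(f"'{name}' is {len(value)} bytes, over {MAX_PARAM_LEN}")
            elif not rule.fullmatch(value):
                reasons.append(f"'{name}' fails its format check")
            for label, sig in SIGNATURES.items():
                if sig.search(value):
                    reasons.append(f"'{name}' matches {label} signature")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample requests: one clean, one with a script tag in a
    # free-text field, one with an oversized numeric field.
    samples = [
        ("GET", "/order?user=alice&order=12345", ""),
        ("POST", "/order", "user=bob&comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        ("GET", "/order?order=" + "9" * 2000, ""),
    ]
    for m, t, b in samples:
        print(m, t[:40], inspect_request(m, t, b))
```

Note that the format check alone already rejects both bad samples; the signature only adds a label that tells the operator which attack class was seen.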


    The most common web application layer security threats are well summarized in the OWASP Top Ten Project. Further details on these important top ten security threats can be found at:

    http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

    HTML-based applications are not the only targets. Many companies use XML interfaces to provide access to older legacy applications that were never meant for external users and have never been hardened against attack. Applications originally designed to serve only trusted users are now accessed via the Internet by customers and business partners and by hackers who can easily exploit self-describing XML interfaces to inject malicious inputs into applications.

    6.4 Vulnerability assessment and management

    Given the frequent discovery of new vulnerabilities, there is a need for a management system to provide assurance that all assets are monitored for policy compliance and for the presence of vulnerabilities, and then isolated and remediated as required, regardless of operating system or availability of security patches. Tasks such as detailed asset inventories, patch management, configuration management, attribute monitoring, and audit logging for network and system administration are implemented as needed to support the core mission of the security administrator.

    The benefits of a vulnerability assessment and management system are to minimize risk by proactively providing updated patches and countermeasures to attack propagation. The vulnerability window can also be minimized by log consolidation and log correlation.

    7 Reliability/Availability Considerations

    Application reliability and availability can be improved at several levels. In addition to purchasing redundant WAN links through a telecom provider, companies can also implement load balancing at the local and global level, as well as application and server virtualization.

    7.1 Load balancing

    Load balancing is a ubiquitous technology and its deployment is quite straightforward in purely local scenarios. In a local load balancing deployment, the incoming traffic is distributed (balanced) among a group of servers within the same datacenter. Multiple load balancers can also be deployed for reliability and high availability so that if one fails there are others to service incoming requests. Beyond basic distribution of loads, most load balancers can check for availability of specific servers and applications, protect against DDoS attacks and provide other additional functionality to accelerate application performance.

    With more and more focus on 24x7 availability, 100% redundancy, and disaster recovery even in case of entire datacenter failures, local load balancing is often not enough. If the entire datacenter network becomes unavailable or if the datacenter becomes inoperative due to natural or man-made disaster, then users will not be able to access their applications. This is where global server load balancing (GSLB) comes into play.

    Enterprises maintain multiple datacenters across the globe with full data mirroring between sites. Every datacenter still supports its own local load balancing for the local servers. In addition, a second layer of load balancing service is added across all the datacenters. This GSLB service monitors the available datacenters and ensures that traffic is not directed to an unavailable datacenter. In case one of the datacenters goes offline, traffic is diverted to the remaining datacenters. With this infrastructure, even with multiple, simultaneous failures, users are still served transparently. In addition, GSLB systems can direct users' traffic to the closest datacenter geographically, or to the datacenter that responds the fastest, or to a localized version of a site.
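The two-layer scheme just described, as an added Python example that is not from the whitepaper or any vendor's product: each datacenter's local balancer round-robins over its servers that pass a health check, and a GSLB layer in front of them excludes any datacenter whose probe failed (or that has no healthy server left), preferring the user's own region and otherwise the fastest-responding site. Datacenter names, regions and probe results are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    name: str
    healthy: bool = True          # result of the local balancer's health check


@dataclass
class Datacenter:
    name: str
    region: str
    servers: List[Server]
    probe_ms: Optional[float]     # GSLB probe result; None = site unreachable
    _next: int = 0                # round-robin cursor of the local balancer

    def healthy_servers(self) -> List[Server]:
        return [s for s in self.servers if s.healthy]

    def local_pick(self) -> Optional[Server]:
        """Local load balancing: round-robin over servers that pass the check."""
        pool = self.healthy_servers()
        if not pool:
            return None
        server = pool[self._next % len(pool)]
        self._next += 1
        return server


class GSLB:
    """Second layer: chooses a datacenter and never an unavailable one."""

    def __init__(self, datacenters: List[Datacenter]):
        self.datacenters = datacenters

    def available(self) -> List[Datacenter]:
        # Unavailable if the probe failed or the local balancer has no
        # healthy server to hand the request to.
        return [d for d in self.datacenters
                if d.probe_ms is not None and d.healthy_servers()]

    def route(self, user_region: Optional[str] = None):
        """Return (datacenter, server) for one request.

        Prefers a datacenter in the user's region (the "closest" rule),
        otherwise the one with the fastest probe response, then defers to
        that datacenter's local balancer for the server choice."""
        candidates = self.available()
        if not candidates:
            raise RuntimeError("no datacenter available")
        nearby = [d for d in candidates if d.region == user_region]
        chosen = min(nearby or candidates, key=lambda d: d.probe_ms)
        return chosen.name, chosen.local_pick().name


if __name__ == "__main__":
    # Constructed topology: two mirrored datacenters.
    fra = Datacenter("FRA", "EU", [Server("fra-1"), Server("fra-2")], probe_ms=20)
    sfo = Datacenter("SFO", "US", [Server("sfo-1"), Server("sfo-2")], probe_ms=90)
    gslb = GSLB([fra, sfo])
    print("EU user:", gslb.route("EU"), gslb.route("EU"))
    fra.probe_ms = None                      # FRA datacenter goes offline
    print("EU user after FRA outage:", gslb.route("EU"))
```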


    7.2 Terminal Services/User Interface Virtualization

    Terminal services allow enterprises to run applications on servers instead of local desktops. This can be accomplished through a terminal server or via web-enabled applications accessed via browser. Users access applications remotely and never have to worry about backups, desktop crashes, security etc. They also do not have to worry about installing and managing their own application instances. With application virtualization, hundreds to thousands of users can be served from an application farm without installing applications on individual desktops. Further, when such application farms are run at multiple datacenters, disaster recovery and high availability become easier. Basically, the user sees a virtual application being served from a remote site rather than a local application on their desktop.

    Another advantage to terminal services is that if a terminal session is interrupted, when the user is able to re-connect, their session is available in the same state it was in before service was interrupted. In addition, administration of user services becomes easier, since changes are made to one set of applications on the server, rather than thousands of individual PCs. Bandwidth utilization can also be improved, since the effects of latency for page load and throughput can be reduced by using the specialized protocols available with terminal services.

    8 Overview of Solutions

    The modern enterprise is a varied and dynamic organization. No single solution will provide the optimum answer in every case. Often, planners will combine SAP built-in services, point solutions, integrated solutions and managed services to come up with the best solution for their network.

    The differentiations of needs are often separated by geography, client limitations and security constraints. These dynamic environments force IT to look for solutions that can offer immediate benefit and be deployed with minimal lead time. A hybrid approach can gradually introduce point solutions or outsourced services to an existing environment without commitment to long-term investments or overhauling the current system architecture.

    8.1 SAP In-Built Network Services

    All SAP application servers of current SAP NetWeaver and older SAP releases come with built-in network services for security and WAN performance optimization. These services (gzip compression, connection keep-alive, expiration date tagging of static web content, HTTPS) are software-based and make use of operating system and network APIs. As such, they need to be considered for the application server capacity planning because they use some system resources. SAP software-based solutions cannot offer hardware acceleration, TCP/IP stack based optimizations and other improvements which are truly the domain of network devices and network managed services offerings.

    Besides the SAP application servers themselves, SAP delivers a few other WAN relevant software components like the classic SAPGUI front-end which features a very lean binary protocol, the SAP Router for adding security to SAP proprietary network protocols and the SAP Web Dispatcher, a software load balancer and SSL terminator.

    The strength of these SAP network related features and optimizations is their availability to IT business application groups with the delivery of SAP software right away. In particular for small production, staging, development or similar systems this can be a cost and time saving advantage. For larger production deployments, a closer co-operation between application and network groups is recommended to establish company wide network services governance policies and overall network infrastructure optimizations.


    8.2 Point Solutions

    Point solutions are focused on resolving very specific application delivery issues. There are several benefits to deploying point solutions in an existing applications infrastructure. Point solutions are often considered best of breed, can be simpler to deploy and manage, and can address very specific issues without the complexity of redesigning the system architecture. Since they are specialized, they can provide a solution to a specific task at a high benefit/cost ratio. For instance, solutions like caching and SSL offload can help maximize application server processing capacity and can be inserted into the existing application landscape with little effort.

    Point solutions can help resolve issues in a timely manner because the base management of these appliances often comes in the form of an intuitive GUI and can be deployed with virtually no formal training. As the application architecture continues to expand and offer new services, new requirements can drive demand for more point solutions. In the long run, the deployment of many disparate point solutions may lead to an increase in complexity because of issues with interoperability and management of the different systems.

    In conclusion, point solutions offer a wide variety of technologies, flexibility, and can address immediate application needs, although long term planning for managing separate systems should be carefully considered.

    8.3 Integrated Solutions

    Integrated solutions are multiple technologies that have been converged into a single platform. This platform can become the foundation of an end-to-end architecture for addressing many different business and technical needs. These needs can either be short term and/or long term. The integrated system results in a cohesive platform for application delivery, security and management. There are advantages to combining multiple functions on a single platform.

    For example, combining optimization and acceleration features like SSL offload, caching, compression and TCP offload can simultaneously improve underlying network performance issues and reduce load on back-end servers. There are platforms that combine multiple feature sets such as stateful packet inspection, intrusion detection, SSL termination and more.

    An integrated architecture can secure and optimize connections from end-to-end. Client connections would no longer have to traverse separate physical devices and IP stacks for encryption/decryption in order to access cached content.

    With the consolidation of features and functionality on the integrated platform, the complexity of managing a growing architecture can be reduced due to the management of fewer physical devices. In addition, having one management application that manages several functions reduces capital costs, ongoing operating costs, and training costs. The integration of technologies may affect various components of an application and thus multiple organizations within IT; careful and strategic planning will be required. Sometimes, extended planning and deployment timelines may not always meet the short term demands of a dynamic environment.

    In summary, an integrated solution can improve overall performance, yield operational simplicity and efficiency, but may not always be the ideal solution for every type of deployment.

    8.4 Managed Services

    A third category of solution is managed services. Contrasted to a point or integrated solution, a managed service enables a company to leverage a third party network infrastructure to address the problems of performance, scalability and security for the delivery of Web applications. Like point and integrated solutions, managed services leverage a number of transport and application layer techniques to address the underlying root-cause of performance and scale bottlenecks. These include TCP optimizations, route optimizations, caching, compression, intelligent pre-fetch, SSL offload, and accelerated SSL delivery.

    Given a managed service architecture that is distributed at a global level, a managed service provides the benefits of bundling multiple technologies together and having these transport and application layer optimizations available on a world-wide scale across varying sizes of user-groups (from individual users to large enterprises) without the upfront capital investment. In addition, some optimization techniques, such as caching, object pre-fetch and round-trip reduction, that target distance-induced latency performance issues can potentially provide a greater increase in overall application performance if delivered by a globally distributed managed service. Furthermore, the primary burden of ongoing administration and management is left to the service provider. However, a core difference between a service and a point or integrated solution approach is that a service solution is limited to Internet-facing applications.

    9 Key Considerations for Selecting a Solution

    In order to assess which solution and technology sets are best suited to meet your enterprise's needs and address the network tasks at hand, it is important to consider a number of different criteria ranging from the technology and deployment model to the total cost of ownership (TCO). In order to aid the assessment process, the following list provides a set of example points to consider when making your evaluation:

    Task Analysis

    1. In order to meet response time SLAs for your end users, would you need to address:

    o Distance induced network latency between datacenter and end-users?

    o Server response time improvement?

    o Or a combination of these and other factors?

    2. Are there particular security requirements and policies in your company which need to be followed?

    3. Are there specific business events to plan for from a performance and security aspect?

    4. Do you have to extend an existing application landscape in small increments, or are you building a new environment from scratch? How quickly do you need to become productive with a new solution?

    Application and End-User Environment

    5. What is the end users' work environment?

    o Are they working exclusively in remote offices? Or are they connecting individually to your applications via the Internet?

    o Are they distributed evenly across a wide geographic area or clustered in a few areas?

    o Does your IT control the end users' laptop or desktop machines? Do you also have to accommodate external, non-employee end users?

    6. How are the end-users currently accessing the application?

    o Are they accessing the application over the Internet?

    o Are they accessing the application via an intranet environment?

    7. What are the integration requirements to interoperate with existing applications and server infrastructures?


    Total Cost of Ownership

    8. What are the appliance costs or service fees for a network solution?

    9. What are the initial implementation requirements and costs?

    10. What are the expected ongoing administration and management costs?

    While there could be a number of additional questions spawned from the questions listed above, this list, in combination with the information in this whitepaper on the available technologies and solutions, will narrow down the types of solutions to evaluate. For more help on planning out your network infrastructure please contact your preferred network vendor.

    10 Conclusion

    Challenges for the solutions architect will continue to increase, and to spread into areas other than simply building the application. Solutions architects need to consider the broad issues of globalization, user mobility, the extended enterprise, web-enabling and service-enabling the application, centralization of IT and compliance requirements. In addition, network reliability and performance, and security, have to be part of any implementation planning and execution program and cannot be left entirely to others; the solutions architect must consider how they will impact each other and application usage.

    The most critical lesson to be learned is that properly functioning large-scale applications will require a collaborative effort between software implementers and developers, network management staff, and the vendors who create the applications and extensions. Contact the vendors listed in the acknowledgements section for more information on optimizing the network for SAP applications. In addition, look for further documents that will come from the SAP Enterprise Services Community in the near future that will address these issues and others.

    11 Acknowledgements

    The following companies have contributed to the development of this document:

    Akamai Technologies, Inc., www.akamai.com

    Cisco Systems, Inc., www.cisco.com

    Citrix Systems, Inc., www.citrix.com

    F5 Networks, Inc., www.f5.com

    Juniper Networks, Inc., www.juniper.net

    Netli, Inc., www.netli.com

    Radware Ltd., www.radware.com

    SAP AG., www.sap.com


    Appendix A:

    For more detailed background information on TCP/IP, please visit: http://en.wikipedia.org/wiki/TCP/IP

    TCP was not engineered for use in the modern network and WAN environment. It uses a verbose query/response architecture that can quickly increase application response times as latency increases, and the large numbers of individual sessions necessary to accomplish a single application task can produce a lot of communications overhead.

    HTTP is engineered primarily as a lowest common denominator to facilitate the Web. Compression and optimization of pages are possible, but not the default behavior. Receiving one web page can require dozens of HTTP requests, and hundreds of TCP exchanges.
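To make the two paragraphs above concrete, and to show what the keep-alive and gzip services listed in section 8.1 buy on a WAN link, here is an added worked model in Python (not from the whitepaper). It is deliberately simplified: one RTT per object for the HTTP request/response, one extra RTT per TCP handshake, objects spread over a few parallel connections, and transfer time from the compressed byte count; slow start, DNS, TLS and server think time are ignored. The page size, object count, link speed and compression ratio are constructed assumptions.

```python
import math


def page_load_time(rtt_s, n_objects, object_bytes, bandwidth_bps,
                   keep_alive=True, parallel_conns=1, compression_ratio=1.0):
    """Simplified HTTP/1.x page-load model; returns seconds.

    Each connection fetches ceil(n_objects / parallel_conns) objects in turn.
    Every object costs one RTT for its request/response exchange. Without
    keep-alive each object also pays one RTT for a fresh TCP handshake;
    with keep-alive a connection pays that handshake only once.
    Transfer time is the (compressed) payload over the link speed."""
    per_conn = math.ceil(n_objects / parallel_conns)
    handshakes = 1 if keep_alive else per_conn
    latency = (handshakes + per_conn) * rtt_s
    transfer = n_objects * object_bytes * compression_ratio * 8 / bandwidth_bps
    return latency + transfer


def compare(rtt_s, n_objects=40, object_bytes=10_000, bandwidth_bps=10_000_000):
    """Page-load seconds for three configurations of the same page:
    bare HTTP, keep-alive, and keep-alive plus gzip (assumed 4:1 on text),
    each over four parallel connections. Defaults: a constructed page of
    40 objects of 10 kB each, fetched over a 10 Mbit/s link."""
    common = (rtt_s, n_objects, object_bytes, bandwidth_bps)
    return {
        "no_keepalive": page_load_time(*common, keep_alive=False, parallel_conns=4),
        "keepalive": page_load_time(*common, parallel_conns=4),
        "keepalive_gzip": page_load_time(*common, parallel_conns=4,
                                         compression_ratio=0.25),
    }


if __name__ == "__main__":
    # Same page, LAN round trip versus intercontinental round trip: the
    # transfer time is identical, the RTT-bound part dominates on the WAN.
    for label, rtt in (("LAN 1 ms", 0.001), ("WAN 100 ms", 0.1)):
        print(label, {k: round(v, 3) for k, v in compare(rtt).items()})
```

At 100 ms RTT the model gives 2.32 s without keep-alive, 1.42 s with it and 1.18 s with gzip added, while the same page at 1 ms RTT takes 0.34 s even without keep-alive: the round trips, not the bytes, are what distance charges for.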

    Optimization can happen on all layers of the overall technology stack. On the application side, SAP distinguishes roughly between the application and the NetWeaver infrastructure layer. The NetWeaver layer in turn uses non-SAP infrastructure layers such as operating systems, databases and, increasingly importantly, the network layers. The network layer itself is commonly broken down into the so-called OSI seven-layer model.

    The application layer of SAP can influence performance just through the design of the business process or transaction flow. Having fewer screens for the end users to go through to achieve a certain task is the most important application design advice. The application layer itself is also important for security in so far as the business logic considers an end user's authorization profile and thus allows access only to the data a user is allowed to work with.

    The SAP NetWeaver infrastructure layer provides such network optimizations as can be done in software and which are mostly targeted to optimization of the HTTP protocol.

    Network devices roughly fall into the categories of TCP/IP protocol level optimizations and higher network layer level optimizations.